devsecops

Implementing Policy as Code with Open Policy Agent

This skill covers implementing Open Policy Agent (OPA) and Gatekeeper for policy-as-code enforcement in Kubernetes and CI/CD pipelines. It addresses writing Rego policies, deploying OPA Gatekeeper as a Kubernetes admission controller, testing policies in development, and integrating policy evaluation into deployment pipelines.

cicddevsecopsgatekeeperkubernetesopapolicy-as-codesecure-sdlc
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When enforcing organizational security policies across Kubernetes clusters programmatically
  • When requiring admission control that blocks non-compliant resources from being created
  • When implementing policy governance that can be version-controlled, tested, and audited
  • When standardizing security rules across multiple clusters and environments
  • When needing a flexible policy engine that extends beyond Kubernetes to APIs and CI/CD

Do not use for vulnerability scanning (use Trivy/Checkov), for runtime threat detection (use Falco), or for network policy enforcement (use Kubernetes NetworkPolicy or Calico).

Prerequisites

  • Kubernetes cluster with admin access for Gatekeeper installation
  • Helm for Gatekeeper deployment
  • OPA CLI or conftest for local policy testing
  • Rego knowledge for policy authoring

Workflow

Step 1: Install OPA Gatekeeper

# Install Gatekeeper via Helm
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper gatekeeper/gatekeeper \
  --namespace gatekeeper-system --create-namespace \
  --set replicas=3 \
  --set audit.replicas=1 \
  --set audit.writeToRAMDisk=true

Step 2: Create Constraint Templates

# templates/k8s-required-labels.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("Missing required labels: %v", [missing])
        }
 
---
# templates/k8s-container-limits.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8scontainerlimits
spec:
  crd:
    spec:
      names:
        kind: K8sContainerLimits
      validation:
        openAPIV3Schema:
          type: object
          properties:
            cpu:
              type: string
            memory:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8scontainerlimits
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not container.resources.limits.cpu
          msg := sprintf("Container %v has no CPU limit", [container.name])
        }
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not container.resources.limits.memory
          msg := sprintf("Container %v has no memory limit", [container.name])
        }
 
---
# templates/k8s-block-privileged.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sblockprivileged
spec:
  crd:
    spec:
      names:
        kind: K8sBlockPrivileged
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sblockprivileged
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          container.securityContext.privileged == true
          msg := sprintf("Privileged container not allowed: %v", [container.name])
        }
        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          container.securityContext.privileged == true
          msg := sprintf("Privileged init container not allowed: %v", [container.name])
        }

Step 3: Apply Constraints

# constraints/require-labels.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-team-labels
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
      - apiGroups: ["apps"]
        kinds: ["Deployment", "StatefulSet"]
    excludedNamespaces:
      - kube-system
      - gatekeeper-system
  parameters:
    labels:
      - "team"
      - "environment"
      - "cost-center"
 
---
# constraints/block-privileged.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockPrivileged
metadata:
  name: block-privileged-containers
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment", "DaemonSet", "StatefulSet"]
    excludedNamespaces:
      - kube-system

Step 4: Test Policies with conftest

# Install conftest
brew install conftest
 
# Test Kubernetes manifests against OPA policies locally
conftest test deployment.yaml --policy policies/ --output json
 
# Test Terraform against OPA policies
conftest test terraform/main.tf --policy policies/terraform/ --parser hcl2
 
# Test Dockerfiles
conftest test Dockerfile --policy policies/docker/
# policies/kubernetes/deny_latest_tag.rego
package kubernetes
 
deny[msg] {
  input.kind == "Deployment"
  container := input.spec.template.spec.containers[_]
  endswith(container.image, ":latest")
  msg := sprintf("Container %v uses :latest tag. Pin to specific version.", [container.name])
}
 
deny[msg] {
  input.kind == "Deployment"
  container := input.spec.template.spec.containers[_]
  not contains(container.image, ":")
  msg := sprintf("Container %v has no tag. Pin to specific version.", [container.name])
}

Step 5: Integrate Policy Testing in CI/CD

# .github/workflows/policy-test.yml
name: Policy Validation
 
on:
  pull_request:
    paths: ['k8s/**', 'terraform/**', 'policies/**']
 
jobs:
  conftest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install conftest
        run: |
          wget -q https://github.com/open-policy-agent/conftest/releases/download/v0.50.0/conftest_0.50.0_Linux_x86_64.tar.gz
          tar xzf conftest_0.50.0_Linux_x86_64.tar.gz
          sudo mv conftest /usr/local/bin/
      - name: Test K8s manifests
        run: conftest test k8s/**/*.yaml --policy policies/kubernetes/ --output json
      - name: Test Terraform
        run: conftest test terraform/*.tf --policy policies/terraform/ --parser hcl2

Key Concepts

Term Definition
OPA Open Policy Agent — general-purpose policy engine using Rego language for policy decisions
Rego OPA's declarative query language for writing policy rules
Gatekeeper Kubernetes-native OPA integration implementing admission control via ConstraintTemplates
ConstraintTemplate CRD defining the Rego policy logic and parameters schema for a class of constraints
Constraint Instance of a ConstraintTemplate with specific parameters and scope (which resources to check)
Admission Controller Kubernetes component that intercepts API requests before persistence and can allow or deny them
conftest CLI tool for testing structured data (YAML, JSON, HCL) against OPA policies

Tools & Systems

  • Open Policy Agent (OPA): General-purpose policy engine for unified policy enforcement
  • Gatekeeper: Kubernetes admission controller built on OPA with CRD-based configuration
  • conftest: Testing framework for OPA policies against configuration files
  • Kyverno: Alternative Kubernetes policy engine using YAML-based policies (no Rego required)
  • Styra DAS: Commercial OPA management platform with policy authoring, testing, and distribution

Common Scenarios

Scenario: Enforcing Container Security Standards Across Clusters

Context: Multiple development teams deploy to shared Kubernetes clusters. Some teams run privileged containers and images without resource limits, causing security and stability issues.

Approach:

  1. Deploy Gatekeeper on all clusters via GitOps (Helm chart in a FluxCD repository)
  2. Create ConstraintTemplates for: no privileged containers, required resource limits, required labels, no latest tag
  3. Start with enforcementAction: warn to identify violations without blocking deployments
  4. Notify teams of violations and provide a 2-week remediation window
  5. Switch to enforcementAction: deny after the remediation period
  6. Add excludedNamespaces for kube-system and monitoring namespaces

Pitfalls: Deploying Gatekeeper with deny mode immediately can break existing workloads. Always start with warn mode. Overly restrictive policies without exemptions for system namespaces can prevent cluster components from functioning.

Output Format

OPA Policy Evaluation Report
==============================
Cluster: production-east
Date: 2026-02-23
Gatekeeper Version: 3.16.0
 
CONSTRAINT SUMMARY:
  K8sRequiredLabels:        12 violations (warn)
  K8sBlockPrivileged:        0 violations (deny)
  K8sContainerLimits:        8 violations (deny)
  K8sBlockLatestTag:         3 violations (deny)
 
BLOCKED DEPLOYMENTS (deny):
  [K8sContainerLimits] deployment/api-server in ns/payments
    - Container 'api' has no memory limit
  [K8sBlockLatestTag] deployment/frontend in ns/web
    - Container 'nginx' uses :latest tag
 
AUDIT VIOLATIONS (warn):
  [K8sRequiredLabels] namespace/staging
    - Missing labels: {cost-center}
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md4.0 KB

API Reference: Open Policy Agent (OPA) Policy-as-Code

Libraries Used

Library Purpose
requests HTTP client for OPA REST API
json Parse OPA decision responses
subprocess Run opa eval and opa test CLI commands
yaml Parse Kubernetes admission review objects

Installation

# OPA binary
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static
chmod 755 opa && sudo mv opa /usr/local/bin/
 
# Python dependencies
pip install requests pyyaml

OPA REST API Endpoints

Method Endpoint Description
PUT /v1/policies/{id} Create or update a policy module
GET /v1/policies/{id} Retrieve a policy module
DELETE /v1/policies/{id} Delete a policy module
GET /v1/policies List all policy modules
PUT /v1/data/{path} Create or overwrite a document
GET /v1/data/{path} Evaluate a rule or retrieve data
POST /v1/data/{path} Evaluate a rule with input
PATCH /v1/data/{path} Patch a data document
POST /v1/query Execute ad-hoc Rego query
POST /v1/compile Partially evaluate a query
GET /health Health check (liveness)
GET /health?bundles Health check including bundle status

Core Operations

Upload a Rego Policy

import requests
import os
 
OPA_URL = os.environ.get("OPA_URL", "http://localhost:8181")
 
policy_rego = """
package authz
 
default allow := false
 
allow if {
    input.user.role == "admin"
}
 
allow if {
    input.user.role == "editor"
    input.action == "read"
}
"""
 
resp = requests.put(
    f"{OPA_URL}/v1/policies/authz",
    data=policy_rego,
    headers={"Content-Type": "text/plain"},
    timeout=10,
)
resp.raise_for_status()

Evaluate a Policy Decision

decision_input = {
    "input": {
        "user": {"role": "editor", "name": "alice"},
        "action": "read",
        "resource": "/api/reports",
    }
}
 
resp = requests.post(
    f"{OPA_URL}/v1/data/authz/allow",
    json=decision_input,
    timeout=10,
)
result = resp.json()
allowed = result.get("result", False)  # True

Upload Data Documents

role_permissions = {
    "admin": ["read", "write", "delete", "admin"],
    "editor": ["read", "write"],
    "viewer": ["read"],
}
 
resp = requests.put(
    f"{OPA_URL}/v1/data/roles",
    json=role_permissions,
    timeout=10,
)

List All Policies

resp = requests.get(f"{OPA_URL}/v1/policies", timeout=10)
policies = resp.json().get("result", [])
for p in policies:
    print(f"  {p['id']}{len(p.get('raw', ''))} bytes")

OPA CLI Reference

# Evaluate a policy locally
opa eval -i input.json -d policy.rego "data.authz.allow"
 
# Run Rego unit tests
opa test ./policies/ -v
 
# Check policy syntax
opa check policy.rego
 
# Format Rego files
opa fmt -w policy.rego
 
# Start OPA as a server
opa run --server --addr :8181 ./policies/ ./data/
 
# Build an OPA bundle
opa build -b ./policies/ -o bundle.tar.gz

Kubernetes Gatekeeper Integration

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg}] {
          provided := {l | input.review.object.metadata.labels[l]}
          required := {l | l := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("Missing required labels: %v", [missing])
        }

Output Format

{
  "decision_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "result": true,
  "policy": "data.authz.allow",
  "input": {
    "user": {"role": "admin"},
    "action": "delete",
    "resource": "/api/users/42"
  }
}
standards.md1.1 KB

Standards Reference: Policy as Code with OPA

NIST SP 800-53 - Security and Privacy Controls

Control OPA Policy Description
AC-3 Block unauthorized access Enforce RBAC and namespace isolation
AC-6 Least privilege Block privileged containers and host access
CM-2 Baseline configuration Require resource limits and labels
CM-6 Configuration settings Enforce approved image registries
SI-7 Software integrity Require image signatures and digests

CIS Kubernetes Benchmark Mapping

  • 5.1.1: Ensure RBAC is enabled → OPA can enforce RBAC policies
  • 5.2.1: Minimize privileged containers → K8sBlockPrivileged constraint
  • 5.2.2: Minimize host namespace sharing → Block hostNetwork/hostPID
  • 5.2.5: Ensure allowPrivilegeEscalation is false → OPA constraint
  • 5.7.1: Create administrative boundaries between resources → Namespace policies

OWASP Kubernetes Security Cheat Sheet

  • Enforce Pod Security Standards via admission control
  • Restrict container capabilities using OPA policies
  • Enforce network policies and resource quotas
  • Validate image provenance and signatures
workflows.md1.9 KB

Workflow Reference: Policy as Code with OPA

Policy Lifecycle

Author Rego Policy


┌──────────────────┐
│ Unit Test with   │
│ OPA test         │
└──────┬───────────┘


┌──────────────────┐
│ Integration Test │
│ with conftest    │
└──────┬───────────┘


┌──────────────────┐
│ Deploy to Cluster│
│ (warn mode)      │
└──────┬───────────┘


┌──────────────────┐
│ Monitor + Triage │
│ Violations       │
└──────┬───────────┘


┌──────────────────┐
│ Switch to deny   │
│ mode             │
└──────────────────┘

OPA/Gatekeeper Architecture

API Request → Kubernetes API Server → Gatekeeper Webhook

                                    ┌──────┴──────┐
                                    │ OPA Engine  │
                                    │ (Rego eval) │
                                    └──────┬──────┘

                                    ┌──────┴──────┐
                                    │ Constraint  │
                                    │ Templates   │
                                    └──────┬──────┘

                                      Allow / Deny

Scripts 2

agent.py9.3 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Open Policy Agent (OPA) policy-as-code agent.

Evaluates security policies against infrastructure configurations using
the OPA REST API or CLI. Supports evaluating Rego policies for Kubernetes
admission control, Terraform plans, IAM policies, and custom security rules.
"""
import argparse
import json
import os
import subprocess
import sys
from datetime import datetime, timezone

try:
    import requests
except ImportError:
    requests = None


def find_opa_binary():
    """Locate the OPA binary on the system."""
    custom_path = os.environ.get("OPA_PATH")
    if custom_path and os.path.isfile(custom_path):
        return custom_path
    for name in ["opa", "opa.exe"]:
        for directory in os.environ.get("PATH", "").split(os.pathsep):
            full_path = os.path.join(directory, name)
            if os.path.isfile(full_path):
                return full_path
    return None


def eval_policy_cli(opa_bin, policy_path, input_path, data_path=None, query="data"):
    """Evaluate a Rego policy using OPA CLI."""
    cmd = [opa_bin, "eval", "--format", "json"]
    cmd.extend(["--bundle", policy_path])
    if input_path:
        cmd.extend(["--input", input_path])
    if data_path:
        cmd.extend(["--data", data_path])
    cmd.append(query)

    print(f"[*] Running: {' '.join(cmd)}")
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
        timeout=120,
    )
    if result.returncode != 0:
        print(f"[!] OPA error: {result.stderr}", file=sys.stderr)
        return None
    try:
        return json.loads(result.stdout)
    except json.JSONDecodeError:
        print(f"[!] Failed to parse OPA output", file=sys.stderr)
        return None


def eval_policy_api(opa_url, policy_path, input_data):
    """Evaluate a policy via OPA REST API."""
    if not requests:
        print("[!] 'requests' library required for API mode", file=sys.stderr)
        sys.exit(1)
    url = f"{opa_url}/v1/data/{policy_path.replace('.', '/')}"
    print(f"[*] Querying OPA API: {url}")
    resp = requests.post(
        url,
        json={"input": input_data},
        timeout=30,
    )
    resp.raise_for_status()
    return resp.json()


def test_policies(opa_bin, policy_dir):
    """Run OPA test suite against policy directory."""
    cmd = [opa_bin, "test", "--format", "json", policy_dir, "-v"]
    print(f"[*] Running policy tests: {' '.join(cmd)}")
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
        timeout=120,
    )
    try:
        test_results = json.loads(result.stdout)
    except json.JSONDecodeError:
        test_results = []
    return test_results, result.returncode


def check_policy_syntax(opa_bin, policy_path):
    """Check Rego policy syntax."""
    cmd = [opa_bin, "check", "--format", "json", policy_path]
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
        timeout=30,
    )
    if result.returncode == 0:
        print(f"[+] Policy syntax valid: {policy_path}")
        return True, []
    try:
        errors = json.loads(result.stdout)
    except json.JSONDecodeError:
        errors = [{"message": result.stderr}]
    print(f"[!] Syntax errors in {policy_path}")
    return False, errors


def extract_violations(eval_result, violation_key="violations"):
    """Extract policy violations from OPA evaluation result."""
    violations = []
    if not eval_result:
        return violations

    results = eval_result.get("result", [])
    if isinstance(results, list):
        for entry in results:
            bindings = entry.get("bindings", {})
            expressions = entry.get("expressions", [])
            for expr in expressions:
                value = expr.get("value", {})
                if isinstance(value, dict):
                    for key, val in value.items():
                        if key == violation_key and isinstance(val, list):
                            violations.extend(val)
                        elif isinstance(val, dict):
                            nested_violations = val.get(violation_key, [])
                            if isinstance(nested_violations, list):
                                violations.extend(nested_violations)
    elif isinstance(results, dict):
        violations = results.get(violation_key, [])

    return violations


def format_summary(violations, test_results, policy_path, input_path):
    """Print evaluation summary."""
    print(f"\n{'='*60}")
    print(f"  OPA Policy Evaluation Report")
    print(f"{'='*60}")
    print(f"  Policy    : {policy_path}")
    print(f"  Input     : {input_path or 'N/A'}")
    print(f"  Violations: {len(violations)}")

    if test_results:
        passed = sum(1 for t in test_results if t.get("pass", t.get("result") == "pass"))
        failed = len(test_results) - passed
        print(f"  Tests     : {passed} passed, {failed} failed")

    if violations:
        severity_counts = {}
        for v in violations:
            sev = "HIGH"
            if isinstance(v, dict):
                sev = v.get("severity", v.get("level", "HIGH"))
            severity_counts[sev] = severity_counts.get(sev, 0) + 1

        print(f"\n  Violations by Severity:")
        for sev, count in sorted(severity_counts.items()):
            print(f"    {sev:10s}: {count}")

        print(f"\n  Violation Details:")
        for v in violations[:20]:
            if isinstance(v, dict):
                msg = v.get("msg", v.get("message", str(v)))
                resource = v.get("resource", v.get("name", ""))
                sev = v.get("severity", "HIGH")
                print(f"    [{sev:6s}] {resource:30s} | {msg[:60]}")
            else:
                print(f"    {str(v)[:80]}")

    return len(violations)


def main():
    parser = argparse.ArgumentParser(
        description="Open Policy Agent policy-as-code evaluation agent"
    )
    sub = parser.add_subparsers(dest="command", help="Action")

    p_eval = sub.add_parser("eval", help="Evaluate policy against input")
    p_eval.add_argument("--policy", required=True, help="Path to Rego policy or bundle dir")
    p_eval.add_argument("--input", dest="input_file", help="Path to input JSON")
    p_eval.add_argument("--data", help="Path to external data JSON")
    p_eval.add_argument("--query", default="data", help="OPA query (default: data)")
    p_eval.add_argument("--violation-key", default="violations",
                        help="Key in result containing violations")

    p_api = sub.add_parser("api", help="Evaluate via OPA REST API")
    p_api.add_argument("--url", default="http://localhost:8181", help="OPA server URL")
    p_api.add_argument("--policy-path", required=True, help="OPA document path (e.g., authz.allow)")
    p_api.add_argument("--input", dest="input_file", required=True, help="Input JSON file")

    p_test = sub.add_parser("test", help="Run OPA test suite")
    p_test.add_argument("--policy-dir", required=True, help="Directory containing policies and tests")

    p_check = sub.add_parser("check", help="Check Rego syntax")
    p_check.add_argument("--policy", required=True, help="Policy file or directory")

    parser.add_argument("--output", "-o", help="Output JSON report path")
    parser.add_argument("--verbose", "-v", action="store_true")
    args = parser.parse_args()

    if not args.command:
        parser.print_help()
        sys.exit(1)

    opa_bin = find_opa_binary()
    violations = []
    test_results = []

    if args.command == "eval":
        if not opa_bin:
            print("[!] OPA binary not found", file=sys.stderr)
            sys.exit(1)
        eval_result = eval_policy_cli(
            opa_bin, args.policy, args.input_file, args.data, args.query
        )
        violations = extract_violations(eval_result, args.violation_key)
        format_summary(violations, [], args.policy, args.input_file)

    elif args.command == "api":
        with open(args.input_file, "r") as f:
            input_data = json.load(f)
        eval_result = eval_policy_api(args.url, args.policy_path, input_data)
        violations = extract_violations(eval_result)
        format_summary(violations, [], args.policy_path, args.input_file)

    elif args.command == "test":
        if not opa_bin:
            print("[!] OPA binary not found", file=sys.stderr)
            sys.exit(1)
        test_results, returncode = test_policies(opa_bin, args.policy_dir)
        format_summary([], test_results, args.policy_dir, None)

    elif args.command == "check":
        if not opa_bin:
            print("[!] OPA binary not found", file=sys.stderr)
            sys.exit(1)
        valid, errors = check_policy_syntax(opa_bin, args.policy)
        if not valid:
            for e in errors:
                print(f"    Error: {e}")

    report = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "tool": "Open Policy Agent",
        "command": args.command,
        "violations_count": len(violations),
        "violations": violations,
        "test_results": test_results,
        "risk_level": (
            "CRITICAL" if len(violations) > 10
            else "HIGH" if len(violations) > 0
            else "LOW"
        ),
    }

    if args.output:
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2)
        print(f"\n[+] Report saved to {args.output}")
    elif args.verbose:
        print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
process.py5.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
OPA Policy Evaluation Pipeline Script

Runs conftest against Kubernetes manifests and Terraform files,
evaluates policy compliance, and generates reports.

Usage:
    python process.py --manifests-dir ./k8s --policies-dir ./policies
    python process.py --manifests-dir ./terraform --policies-dir ./policies --parser hcl2
"""

import argparse
import json
import os
import subprocess
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path


@dataclass
class PolicyViolation:
    file: str
    rule: str
    message: str
    severity: str = "HIGH"


def run_conftest(manifests_dir: str, policies_dir: str,
                 parser: str = "yaml") -> dict:
    """Run conftest and return JSON results."""
    files = []
    extensions = {"yaml": [".yaml", ".yml"], "hcl2": [".tf"], "dockerfile": ["Dockerfile"]}
    for ext in extensions.get(parser, [".yaml", ".yml"]):
        files.extend(str(p) for p in Path(manifests_dir).rglob(f"*{ext}"))

    if not files:
        return {"results": [], "error": f"No {parser} files found in {manifests_dir}"}

    cmd = [
        "conftest", "test",
        "--policy", policies_dir,
        "--output", "json",
        "--parser", parser
    ] + files

    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
        if proc.stdout:
            return {"results": json.loads(proc.stdout), "error": ""}
        return {"results": [], "error": proc.stderr[:300]}
    except subprocess.TimeoutExpired:
        return {"results": [], "error": "conftest timed out"}
    except FileNotFoundError:
        return {"results": [], "error": "conftest not found"}
    except json.JSONDecodeError:
        return {"results": [], "error": "Failed to parse conftest output"}


def parse_conftest_results(results: list) -> list:
    """Parse conftest JSON results into violations."""
    violations = []
    for result in results:
        filename = result.get("filename", "unknown")
        for failure in result.get("failures", []):
            violations.append(PolicyViolation(
                file=filename,
                rule=failure.get("metadata", {}).get("rule", "unknown"),
                message=failure.get("msg", ""),
                severity="HIGH"
            ))
        for warning in result.get("warnings", []):
            violations.append(PolicyViolation(
                file=filename,
                rule=warning.get("metadata", {}).get("rule", "unknown"),
                message=warning.get("msg", ""),
                severity="MEDIUM"
            ))
    return violations


def check_gatekeeper_violations(namespace: str = "") -> list:
    """Query Gatekeeper audit violations from the cluster."""
    cmd = ["kubectl", "get", "constraints", "-o", "json"]
    if namespace:
        cmd.extend(["-n", namespace])

    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        if proc.returncode != 0:
            return []

        data = json.loads(proc.stdout)
        violations = []
        for item in data.get("items", []):
            status = item.get("status", {})
            for v in status.get("violations", []):
                violations.append(PolicyViolation(
                    file=f"{v.get('kind', '')}/{v.get('name', '')}",
                    rule=item.get("kind", ""),
                    message=v.get("message", ""),
                    severity="HIGH" if item.get("spec", {}).get("enforcementAction") == "deny" else "MEDIUM"
                ))
        return violations
    except (subprocess.TimeoutExpired, FileNotFoundError, json.JSONDecodeError):
        return []


def main():
    parser = argparse.ArgumentParser(description="OPA Policy Evaluation Pipeline")
    parser.add_argument("--manifests-dir", required=True)
    parser.add_argument("--policies-dir", required=True)
    parser.add_argument("--parser", default="yaml", choices=["yaml", "hcl2", "dockerfile"])
    parser.add_argument("--output", default="policy-report.json")
    parser.add_argument("--fail-on-violations", action="store_true")
    parser.add_argument("--check-cluster", action="store_true",
                        help="Also check Gatekeeper violations in cluster")
    args = parser.parse_args()

    violations = []

    print(f"[*] Evaluating policies from {args.policies_dir} against {args.manifests_dir}")
    result = run_conftest(os.path.abspath(args.manifests_dir),
                          os.path.abspath(args.policies_dir), args.parser)

    if result.get("error"):
        print(f"[WARN] {result['error']}")
    else:
        violations.extend(parse_conftest_results(result["results"]))
        print(f"    conftest: {len(violations)} violations")

    if args.check_cluster:
        cluster_violations = check_gatekeeper_violations()
        violations.extend(cluster_violations)
        print(f"    cluster: {len(cluster_violations)} audit violations")

    report = {
        "metadata": {"date": datetime.now(timezone.utc).isoformat()},
        "summary": {
            "total_violations": len(violations),
            "high": sum(1 for v in violations if v.severity == "HIGH"),
            "medium": sum(1 for v in violations if v.severity == "MEDIUM")
        },
        "violations": [
            {"file": v.file, "rule": v.rule, "message": v.message, "severity": v.severity}
            for v in violations
        ]
    }

    output_path = os.path.abspath(args.output)
    with open(output_path, "w") as f:
        json.dump(report, f, indent=2)
    print(f"[*] Report: {output_path}")

    passed = len(violations) == 0
    print(f"\n[{'PASS' if passed else 'FAIL'}] {len(violations)} policy violations found")
    for v in violations[:10]:
        print(f"  [{v.severity}] {v.file}: {v.message[:100]}")

    if args.fail_on_violations and not passed:
        sys.exit(1)


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 1.8 KB
Keep exploring